hxxps://nicolasboucher[.]online/finance-cheat-sheet/

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://nicolasboucher.online/finance-cheat-sheet/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133505286082754340"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
412	chrome.exe
412	chrome.exe
228	chrome.exe
228	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
412	chrome.exe
412	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 3536	412	chrome.exe	83
PID 412 wrote to memory of 3536	412	chrome.exe	83
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 1364	412	chrome.exe	88
PID 412 wrote to memory of 3764	412	chrome.exe	89
PID 412 wrote to memory of 3764	412	chrome.exe	89
PID 412 wrote to memory of 2204	412	chrome.exe	90
PID 412 wrote to memory of 2204	412	chrome.exe	90
PID 412 wrote to memory of 2204	412	chrome.exe	90
PID 412 wrote to memory of 2204	412	chrome.exe	90
PID 412 wrote to memory of 2204	412	chrome.exe	90
PID 412 wrote to memory of 2204	412	chrome.exe	90
PID 412 wrote to memory of 2204	412	chrome.exe	90
PID 412 wrote to memory of 2204	412	chrome.exe	90
PID 412 wrote to memory of 2204	412	chrome.exe	90
PID 412 wrote to memory of 2204	412	chrome.exe	90
PID 412 wrote to memory of 2204	412	chrome.exe	90
PID 412 wrote to memory of 2204	412	chrome.exe	90
PID 412 wrote to memory of 2204	412	chrome.exe	90
PID 412 wrote to memory of 2204	412	chrome.exe	90
PID 412 wrote to memory of 2204	412	chrome.exe	90
PID 412 wrote to memory of 2204	412	chrome.exe	90
PID 412 wrote to memory of 2204	412	chrome.exe	90
PID 412 wrote to memory of 2204	412	chrome.exe	90
PID 412 wrote to memory of 2204	412	chrome.exe	90
PID 412 wrote to memory of 2204	412	chrome.exe	90
PID 412 wrote to memory of 2204	412	chrome.exe	90
PID 412 wrote to memory of 2204	412	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://nicolasboucher.online/finance-cheat-sheet/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff89ec29758,0x7ff89ec29768,0x7ff89ec29778
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1884,i,8221478915815247892,1029121042219939270,131072 /prefetch:2
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1884,i,8221478915815247892,1029121042219939270,131072 /prefetch:8
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1884,i,8221478915815247892,1029121042219939270,131072 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1884,i,8221478915815247892,1029121042219939270,131072 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1884,i,8221478915815247892,1029121042219939270,131072 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 --field-trial-handle=1884,i,8221478915815247892,1029121042219939270,131072 /prefetch:8
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 --field-trial-handle=1884,i,8221478915815247892,1029121042219939270,131072 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3420 --field-trial-handle=1884,i,8221478915815247892,1029121042219939270,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:228

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
9edfb8802b6d3422133fe3d613adeae5

SHA1
25ef8a9a875b587f114bc2955ecc616a776a0f5b

SHA256
ee078be6e56ccfbad6ea1522640ccce673d9bd6036db3df378e345ab968cbe3b

SHA512
0ca5d91bd40af64ab3a73ee4fc51ec8f4dc0543e9f106f31bc43e8c9afdd8da7634d87b216040bb69f5a93ee40b57a8a2f86d80369b9ba252449243afa893536

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d209f1fcd79b5153c5c55dab341185d6

SHA1
9c95c0d6c4681d7e2caa52e637bcf8fc060a9e36

SHA256
b7dd5e1a4ce964373bd2e8dd53e77dfb99cdf366eb3e90f2a8cc59a073a2d450

SHA512
a6c16353d3e2cb1b1f7069388b6541f8991ae51e3194ac205a50fe008f959f7dc68b8af0dc2cabe0d1548e8138a27f34814340ab27a3798429bef332fea84b2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
092165f62a30f06dd6d8eba2c1c344f7

SHA1
5ead9900f7a4a5bf27fbde4320bf1646b9f5e112

SHA256
0ee5463c48f8b876d47e2067622a197c1e559a657aef5aa40802910b0009b3c4

SHA512
f9811f4766d0e62969709cbc0b09e650ab85fa480565aff59f416a544de4872b2797c29a89ddc13c9ee716f8c15f3060dad4f5073ee45569f810098d6eb35d3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0121ddf14ddc562aa8cb8cd0fc204bc6

SHA1
b85c59a564b7e787cf291d3219e4d05fab418fce

SHA256
ee2dea17b0f47e8ca729b500e3beb64ff602137300270717f8c58a6c76ea56be

SHA512
7064cd637175b4b13b748e13fc51e594d6c8ef7ed43883084cc84ca5ded9645306152a6cd45487025634a414db07b470e592e1e73d6af20b3ae3536afd2e1f5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
dbb6f80bfb674e737b30aa3939fec21c

SHA1
1f8c2838b47ffa1ca5b74f7f1c6fe65529d8d9fe

SHA256
4a18a3fbb8edee413d10f1be7266d0855646e954ebf809c3b6246c7cc403056c

SHA512
3c673fe01e6aac666e8fee5601e4ad53be67bb74196850e950266a49dadcd6a4d5e66fce1912bf1a6d0976210d2936f284ac53fb98c2985ec2dad3525830443b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
039edf0d67669986affae5c76d896aa0

SHA1
4ce79b3eba41c41a2022a61735275f6879412dfc

SHA256
0ecb445b11bbbe5ee5ffbe750a2c006b03851a329e28a6e2123d334239090ca4

SHA512
f91a1f6f02c23740c651a3b2103ef10b3f2eb1edb4d6fc1feb52e0ef17119fb714444bf4b398dadf79224acab1af8bf3e940982fcfcd8b771db3f651817e9822

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
06698b5a7f722dd24732fc0f1744fc47

SHA1
05a455c7ab529d5796ebb0ea78ae5b31efaa08ce

SHA256
a167d6740c5b47e2c0e215f1e7aa5d94cb2a1d5becf667f3576ba6816b8d69c1

SHA512
930a46ab8bf7bd487c859536f420d60babdecac7820cef11abce6b42876adff2dd2fc9c39e0cc0b002ee2fd7d7f72c8ab164a542bdd5b094e0a3aabc1a1317a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit